Evidence The Pirate Bay Move To North Korea Was A Prank, In Understandable Terms

Infrastructure – Rick Falkvinge

Yesterday’s big story was definitely about The Pirate Bay having moved to North Korea. If you asked the Internet’s infrastructure, the net itself would tell you about the move, and The Pirate Bay issued a press release confirming the story. But reports surfaced that it could have been an elaborate hoax, and closer inspection proves that.

The problem with verifying the story or its debunking was the technical level of expertise required to understand the reports. When you started talking about “traceroutes” and “whois lookups”, you would lose 99.9% of the audience, who would be incapable of independently verifying what you said. When you added in the reports claiming to debunk the story, but which were instead about “Border Gateway Protocol” (BGP) and “Autonomous Systems” (AS) numbers, you lost another 99.9% – including me.

I can’t verify or disprove the report based on BGP and AS numbers. But there’s something else I can use. The laws of physics.

I’m going to focus on the traceroute quoted below. You can think of it in terms of a telephone line trace. It is a list of the way the signals go from your computer to The Pirate Bay. To illustrate, the first hop in the chain from my workstation is my firewall (named firewall.internal.falkvinge.net), and my ISP alltele is visible as a next step in hop #4. The crucial evidence here is in the timings: my firewall is 379 microseconds away from me, and my ISP is 3.3 milliseconds away from me.

You, too, can run this trace from where you are. Open a prompt (in Windows, it’s Windows+R, then cmd and Enter, on a Mac, you run Terminal, and on any flavor of GNU/Linux, you hit Ctrl-Alt-T) and run traceroute thepiratebay.se – on some systems, the command is just tracert thepiratebay.se. It should produce a document similar to the one below.

So we see 22 hops in the trace, where the last one was famously in North Korea, almost a full second from where we are sitting, 700 milliseconds out. But let’s not look at that for a moment, let’s look instead at hops #16 to #17. Hop #16 is in Frankfurt and hop #17 is in New York or Kansas City. Let’s assume New York; that’s where the transatlantic cables land. Yet, in the trace, they are eight milliseconds apart.

Let’s focus on this. The distance from Frankfurt to New York (measured in Internet signalling time) is reported to be just over twice the distance from my firewall to my ISP. This sets us thinking. What is the physical distance from Frankfurt to New York?

The distance from Frankfurt to New York is 6,195 kilometers.

The physical distance that hop #17 has to cover is 6,195 kilometers. It covers this hop in eight milliseconds. Here, let’s take a look at the laws of physics. What is the speed of light? What is the limit, as told by the laws of physics, to how fast the signals in a fiberoptic cable can cover this distance?

The speed of light is exactly 299,792,458 meters per second. To cover 6,195,000 meters, light needs 0.020 seconds, or 20 milliseconds. But we just saw that the traceroute reported eight milliseconds for this jump. That’s troubling. More precisely, this violates the laws of physics. The traceroute claims that internet signals travel at more than twice the speed of light.

This hop in the traceroute violates the laws of physics. And with that one hop in the traceroute proven to be impossible, the whole traceroute is shown to be an elaborate hoax.

Just to double-check, I am getting ping times of 30-ish milliseconds to the Frankfurt address from Stockholm, Sweden, and ping times of 110 milliseconds to the New York address. Differences of 80-ish milliseconds seem much more reasonable than the eight milliseconds claimed in the traceroute.

So how do you fake a traceroute to this degree? You meddle with the deepest routing logic of the Internet, that’s how. That kind of wizardry goes beyond my horizon. But after observing that the traceroute violates the laws of physics, I can tell with certainty that it is faked.

As Anna Troberg, leader of the Swedish Pirate Party, wrote yesterday: “The joke’s on you. The Pirate Bay is enormously skilled at two things: keeping their site online and lulzing the establishment.”

So with this evidence in hand, where in the world is The Pirate Bay? San Diego? Austria? Cambodia? Still in Oslo? Nobody knows at the moment. Hacking the internet to this degree is deep wizardry far beyond my ability to untangle it.

UPDATE: Some have pointed at the fact that Level3 is a U.S. provider, and that they could name their U.S. routers “Frankfurt”, and that the transatlantic hop actually happened between hops #14 and #15, a hop of 80 milliseconds. This is plausible on first thought. Then again, a geographic lookup places hop #16 in Frankfurt, and I have a ping to hop #16 of 30ms, and to hop #17 of 110, as stated in the article. As usual, there’s no authoritative source for anything and we have to add all the data together to see what we believe or not. Personally, I don’t think the trace hits Level3 at all, I think that entire part is faked. Above all, I don’t think anymore that The Pirate Bay is in North Korea.

UPDATE 2: One way to tell a fake traceroute is to trace it from multiple locations around the globe. In this case, another telltale sign is a traceroute from within Level3, which is a big internet service provider. You will notice the trace starts in Dallas at Level3, moves to Amsterdam, from there to Dresden and Frankfurt, then back to Level3 and then the rest of the route. Anything starting out at Level3, jumping to a different continent, and then going back to Level3 is faked with near-damn-certainty. So everything after Frankfurt is faked; the route above never hits Level3 at all. Is Frankfurt fake too? Well, who knows. But Level3 almost certainly is.

About The Author: Rick Falkvinge

Rick is the founder of the first Pirate Party and is a political evangelist, traveling around Europe and the world to talk and write about ideas of a sensible information policy. He has a tech entrepreneur background and loves whisky.

Since Level3 is a major US-based network provider with over 11000 employees, your story seems less likely than that TPB is hosted in North Korea. Have you considered that there might be alternative explanations? The hostnames of those servers might say Frankfurt and New York, but that doesn’t mean that the servers are actually there – they could be somewhere in between the cities.

Actually, I just did some extra digging, and no matter where I do the traceroute from (Asia, USA, home), the packets always seem to go to Germany or Amsterdam before going through the (fake) Level3 network.

Given that thePirateBay’s predator ignores national boundaries and laws, then thePirateBay needs to protect itself by borrowing ideas from nature and make use of/develop prey obfuscation tech. Laying down false scent trails is a damned fine first step.

Let’s not get fooled by the city names of the routers. Both Frankfurt1 and NewYork1 are on the Level3.net domain. Level3 can easily name their sub domains to whatever they want. Also look at the IP addresses. All Level3.net addresses use network 4.69.0.0 while ntt.net uses 129.250.0.0.
Frankfurt1 is probably Level3’s gateway to Europe located in the US.

The transatlantic jump probably is between ntt.net and level3.net, which is about 80ms.
/B

Let’s not get fooled by the city names of the routers. Both Frankfurt1 and NewYork1 are on the Level3.net domain. Level3 can easily name their sub domains to whatever they want.

This is true, but a geolookup also placed hop #16 in Frankfurt, and most importantly, I am getting pings of 30ms to that address from Stockholm, which means it has to be in Europe. (In contrast, I’m getting 110ms to the next hop.) I mention this in the article.

The traceroute would look like the transatlantic jump took place between hops #14 and #15, but independent timings will show you that addresses #16 and #17 are the ones on opposite sides of the Atlantic.

Explaining: the traceroute pings each IP on the way to the final destination; when it shows you a number, it is the latency from your connection to that point. Each new IP on the way is pinged separately and has almost no connection to the other results.
An example is to make a really long traceroute, put a heavy load on your connection in the first steps, then stop the load during the middle of the test. The results of the last steps of the traceroute will probably be smaller than the first ones…
Or did I just discover how to bend space and time?? I’m going to be rich!!!

I don’t doubt that TPB is not in North Korea; I was just pointing out that the analysis had a mistake.
As for the topic itself, I don’t think that moving to Korea is impossible, but I think this would only occur as a last resort, and it seems that they still have many other options at the moment…

RuDy is correct, it is incorrect to make meaningful deductions about the distance between particular links/hops the way this blog article does, for at least two reasons. One is that each number in the list is arrived at via independent ICMP packet, which means it’s subject to ‘noise’ due to vagaries of whatever was happening along the route at that time. Secondly, just because something is named ‘Frankfurt’, doesn’t mean it’s in Frankfurt.

One is that each number in the list is arrived at via independent ICMP packet, which means it’s subject to ‘noise’ due to vagaries of whatever was happening along the route at that time.

Right, so I collected a lot more data than the one displayed to be sure of my conclusion; I just didn’t want to dilute the reasoning by starting to explain how ICMP traceroutes work. That was not the point of the article.

Secondly, just because something is named ‘Frankfurt’, doesn’t mean it’s in Frankfurt.

This is true, but a geolookup also placed it in Frankfurt, and most importantly, I am getting pings of 30ms to that address from Stockholm, which means it has to be in Europe. (In contrast, I’m getting 110ms to the next hop.) I mention this in the article.

Traceroute theory of operation is to send a series of packets (UDP, ICMP, or occasionally TCP, depending on the OS and the options you’ve selected), incrementing the TTL on each one by one. Then, the TTL exceeded messages received from each stop along the way are your intermediary routers. The issue with your analysis is that the traceroute is not a stream of a single packet’s journey; instead, it’s multiple packets. Therefore, to make the determination you did, you would have to conduct many traceroutes (or craft individual packets with corresponding TTLs, e.g. via “ping -i” on Windows or “ping -t” in *NIX) and then see if the difference continued to appear. One other source of concern is that not all routers treat TTL Exceeded the same way; if the near-side router takes its time before sending it, then the far-side router will appear correspondingly closer.

Your overall point is still a valid one, and this is a useful sanity check technique. But you can’t rely on it to conclusively prove where a given route goes. A much better technique is to look at the total round-trip time; this can disprove a location (e.g. when you’re able to reach it in a RTT of 80 ms, but even a perfect and direct cable would require 100 ms), but it cannot prove one. In this case, there’s not enough data to acquire even that level of certainty.
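An added example (not code from the article or from any commenter) that carries the article's speed-of-light bound through in the form this comment recommends: applied to the best round-trip time measured from a vantage point whose own location is known, never to the difference between two hop figures, since each hop's figure comes from an independent probe packet. The city coordinates, the fibre refractive index and the probe values are assumptions constructed for the demonstration.

```python
import math

C_VACUUM_KM_S = 299_792.458   # speed of light in vacuum, km/s (the article's figure)
FIBER_INDEX = 1.47            # assumption: typical silica fibre carries a signal at ~c/1.47
EARTH_RADIUS_KM = 6371.0

# Approximate city coordinates (lat, lon); assumed values for the demo only.
STOCKHOLM = (59.33, 18.07)
FRANKFURT = (50.11, 8.68)
NEW_YORK = (40.71, -74.01)
PYONGYANG = (39.02, 125.75)


def great_circle_km(a, b):
    """Haversine great-circle distance: the shortest any cable could possibly be."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def min_rtt_ms(distance_km, refractive_index=1.0):
    """Lower bound on a round trip: out and back at c / refractive_index."""
    return 2 * distance_km / (C_VACUUM_KM_S / refractive_index) * 1000


def verdict(distance_km, best_rtt_ms):
    """Compare a measured RTT with the physical bounds for a claimed distance.
    'impossible' : faster than light in vacuum, so the claimed location is false.
    'suspicious' : beats every fibre path; only a near-straight radio link could do it.
    'consistent' : physics does not rule it out (which is not proof that it is true).
    """
    if best_rtt_ms < min_rtt_ms(distance_km):
        return "impossible"
    if best_rtt_ms < min_rtt_ms(distance_km, FIBER_INDEX):
        return "suspicious"
    return "consistent"


def check_claim(claimed_location, observations):
    """observations: {vantage_name: (vantage_coords, [rtt_ms, ...])}.
    Uses the minimum of the probes at each vantage point, because the replies are
    independent packets and only the fastest one bounds the distance. Returns the
    per-vantage verdicts and the strongest overall conclusion."""
    per_vantage = {}
    for name, (coords, probes) in observations.items():
        per_vantage[name] = verdict(great_circle_km(coords, claimed_location), min(probes))
    order = ("impossible", "suspicious", "consistent")
    return per_vantage, min(per_vantage.values(), key=order.index)


if __name__ == "__main__":
    # The article's reading of the hop delta, taken at face value as an 8 ms
    # one-way time between Frankfurt and New York (16 ms round trip).
    print("8 ms Frankfurt-New York:", verdict(great_circle_km(FRANKFURT, NEW_YORK), 16))
    # Constructed probe set built around the article's stated 700 ms from Stockholm.
    obs = {"stockholm": (STOCKHOLM, [702.0, 700.0, 715.0])}
    print("700 ms to a Pyongyang address:", check_claim(PYONGYANG, obs))
```

The Pyongyang case comes out as consistent, which is the point of the comment: an RTT that is long enough cannot disprove a location, only one that is too short can.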

The issue with your analysis is that the traceroute is not a stream of a single packet’s journey; instead, it’s multiple packets.

Indeed. I performed this op multiple times to be reasonably certain of my data, but chose not to go into that level of technical detail in the writeup, as it would seriously dilute the understandability of the article.

Does it really matter where they are as long as they are safe and away from being hounded like a serial killer by the USA govt and entertainment industries? They need to keep away from them, as all they are after is to monopolize the internet for their own purposes. TPB are preventing that atm and I hope they can continue to do so. Can you people imagine what the internet would be like if it was totally under the control of the USA and their entertainment industries? Jeez, we think things are bad in places like Iran for restrictions and spying on citizens. That won’t have a patch on what these fuckers will be stopping the people from doing. The USA govt have gotten so concerned over terrorist attacks, they are doing all the work for the terrorists, just like I remember reading something supposedly said by Bin Laden. When you become so scared of someone that you fear even your own people, the someone doesn’t have to do anything anymore, you are doing it all for them! How crazy is that??

Is this the first common host, regardless of where in the world the traces are made from?

After this address the route goes to no-name 213.198.77.122, then a timeout and back to the ntt.net with an IP-address very close to the one above (129.250.5.62). Those addresses must be on the same network segment, but why should it then be two hops in between?

129.250.5.61 was my first common point. I did also see that one server named to be in ny and one in Frankfurt both with the 129.250.4 prefix.

However on the screenshot above where it times out two links later, I have an additional link to an IP 31.17.2.1.10, which actually is in Germany. After that my list doesn’t resemble this at all. I connect to a number of sprint servers in the states, the second last connection is a Chinese email service, and then the NK address.

So, you’ve decided that because the latency between two hops along the route does not correspond to the geographical location they would be located in — which you can only guess based on only the names the devices were given — then the final destination in the route itself is also suspect?

Wow! To paraphrase Billy Madison, everyone who reads this forum is now dumber for having read your post.

Have you considered that names of the routers in Level3 don’t necessarily correspond to their actual geographical location?

More than likely, your packets traversed the Atlantic at hop 14.

Hops 15, 16, 17, and 18 are all on the same continent given the latency between them. But again, that’s just a best guess I can make without knowing in detail how Level3 have their network mapped out.

no need to involve physics. just do a comparison of the routes to (for example) kcna.kp, which I’m fairly sure is in north korea, the hop before the alleged pirate bay server (175.45.177.194), and thepiratebay.se. why are the routes identical in the first two cases, but not in the third? also, a simple httping to kcna.kp should tell you what kind of round trip time to expect if you were to ping an actual server in north korea. just compare that metric to thepiratebay.se.
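As an added example (not code from the thread), the route comparison suggested in this comment and in the earlier question about the first common host, run over constructed traces: the addresses are from the RFC 5737 documentation ranges and the hop lists are made up for the demonstration.

```python
# Constructed traces: vantage point -> ordered hops towards one target ('*' = timeout).
TRACES = {
    "dallas":    ["203.0.113.1",  "198.51.100.7", "198.51.100.9", "192.0.2.50", "192.0.2.51", "192.0.2.99"],
    "tokyo":     ["203.0.113.40", "203.0.113.41", "198.51.100.9", "192.0.2.50", "192.0.2.51", "192.0.2.99"],
    "stockholm": ["203.0.113.80", "*",            "198.51.100.9", "192.0.2.50", "192.0.2.51", "192.0.2.99"],
}
# Constructed trace from Dallas to a reference host believed to sit next to the
# target (the commenter's kcna.kp idea); a genuine neighbour should share the path.
REFERENCE = ["203.0.113.1", "198.51.100.7", "198.51.100.9", "192.0.2.50", "192.0.2.60", "192.0.2.61"]


def first_common_hop(traces):
    """Earliest hop (walking one trace in order) that every other trace also passes
    through, or None if the paths never meet. Timeouts are ignored."""
    common = set.intersection(*(set(t) - {"*"} for t in traces.values()))
    for hop in next(iter(traces.values())):
        if hop in common:
            return hop
    return None


def divergence_index(a, b):
    """Position of the first hop where two traces differ (or the shorter length
    if one is a prefix of the other). Comparing the trace to the target with the
    trace to a nearby reference host shows where the two paths part."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return min(len(a), len(b))


def funnels_into_same_tail(traces):
    """True when, after the first common hop, every vantage point sees exactly the
    same hop sequence. Inside a destination's own network that is normal; a long
    identical tail that traffic from every continent enters at one point is the
    pattern the commenters flagged as one box answering for the whole 'route'."""
    meet = first_common_hop(traces)
    if meet is None:
        return False
    tails = {tuple(t[t.index(meet) + 1:]) for t in traces.values()}
    return len(tails) == 1


if __name__ == "__main__":
    print("first common hop:", first_common_hop(TRACES))
    print("target vs reference diverge at hop", divergence_index(TRACES["dallas"], REFERENCE))
    print("identical tail from all vantage points:", funnels_into_same_tail(TRACES))
```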

Well, how about the moon? After Sealand, the flying droids and all those stunts (amusing as they may be), what can you expect from TPB? At this point I might doubt Anakata is actually in prison: he could be in his mother’s basement grounded for letting porn ads run in his webpage. It’s all a big smoke screen. Again. I like their stunts, but TPB is just a webpage making ad money, not a champion of liberty, so I really don’t see a reason to dwell into this.

You can also check time to establish a TCP session with some suitable tool[1] to the actual server to get a pointer of the distance, as an alternative to analyzing a traceroute.
For example, a session from a Swedish server:

This looks a bit like a blend of different methods meant to fool someone.

In addition to the already mentioned methods, 175.45.177.194 looks like an IP with incorrect geoip data in most or all geoip databases. Given the strained relationship between North Korea and the US, the very limited internet use in North Korea, and the limited number of IPv4 IPs, it wouldn’t be very astonishing if an IP that was originally intended for North Korea ended up somewhere else. Actually, it isn’t very unusual that geoip data is incorrect, it happens quite often, but the fact that it points to North Korea indicates a deliberate act.

Anyway, when I make a lookup on thepiratebay.se, it says its IP is 194.71.107.15, which different ip tool websites either put into Germany or Sweden (conveniently showing that geoip databases are not reliable).

“TPB is just a webpage making ad money” and “Kim Dotcom is just a business man” are statements that are true, but they also do not tell the whole story.

I used to enjoy a comic called Asterix as a child, and TPB reminds me of that little town that resisted the Roman occupation. If you have followed the story for a long time, you know how laws have been changed based on “international obligations” (= what the local population was told) but actually trade and other agreements (WCT/WPPT,TRIPs) mainly based on the input from industry lobbyists/”experts”. Back in 1996 people that were lucky enough to have the Internet, outside of student dorms, were on dial-up. MP3s were just “invented” the year before.

These things were decided when they were off the regular population’s radar.

Then there are the judges, some of whom are members of “IP Protection Groups” where they socially interact with plaintiffs on a regular basis, and I believe Rick even revealed a judge was in a business venture with plaintiffs. And they always refuse to recuse themselves. And can’t be got rid of any other way, as they are always “believed to be impartial”. Just like at one time the Sun revolved around the Earth.

TPB goes against all this; for whatever reasons, its existence is a shining beacon of defiance to the powerless against the rule of the Corporations.

Rick, there’s no “hacking the Internet” happening here. Traceroute relies on the ICMP Time Exceeded packets (see http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol). When you want to fake traceroute results, you do it like this:
– capture and drop any packets with TTL value in IP packet header under certain threshold (e.g. the number of fake hops you want to return, see http://en.wikipedia.org/wiki/IPv4 for IPv4 header structure)
– wait certain amount of time according to the TTL value (to fake geographical distance between hops)
– send back ICMP Time Exceeded packet with fake source IP address and a modified TTL value (to match the number of fake in-between hops)

That’s it! If you want to take this stunt even further, you can use geoIP database on the traceroute sender and choose fake hops dynamically so that the traceroute doesn’t look suspiciously long when the packets should be taking a shortcut. The only way to debunk this kind of hack is to run several traceroutes from different parts of the world (from places where one traceroute should be taking a shortcut according to another).

Of course the great Democratic Republic of North Korea has invented time travel (currently only at the millisecond level), which will fool every onlooker. We are anxiously awaiting the announcement whether it was Kim Il Sung, Kim Jong Il or Kim Jong Un who came up with the idea.

It would not surprise me if TPB had been secreted amidst the collective smartphones of the world, very decentralized, without awareness of the users. Or perhaps TPB have corrupted the servers of global governments thus they are using the collective servers of the power-elite. TPB reminds me of The Stainless Steel Rat.

While I don’t contest your conclusion, I think you missed an important bit. The fact that your traceroute shows the Frankfurt hop at 122.293 ms and the NewYork one at 130.630 ms does not automatically imply that packets travel between the hops in 8.337 ms. These times are the times taken for each ICMP packet to reach the relevant hop and come back. The packet that got to Frankfurt in 122.293 ms was a different packet than the one that got to NewYork in 130.630 ms. They can easily take different routes, even consistently so.

I’m not even going to attempt to explain how BGP4 works, so I hope you’ll be willing to take my word for it that TPB owns a /24 with their own AS Number, & is currently* single-homed via Level 3 / NTT America, most likely in Frankfurt, Germany. I was actually quite surprised by this, as I would’ve expected them to have a more complex setup.

PS: The stuff that shows up in traceroutes is pretty much irrelevant to this discussion, as the rDNS displayed by Traceroute is simply whatever host name the owners of a given IP address choose to assign to it. Calling a particular hop ‘fi1.phobos.mars.level3.net’ doesn’t actually mean that your packet went to Mars. Sure, it’s common practice to name transit points somewhat geographically, but there’s no rule requiring it.
